DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the 
fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.
Since this application is eligible for continued examination under 37 CFR 1.114,
and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the
previous Office action has been withdrawn pursuant to 37 CFR 1.114.
Applicant's submission filed on 8/04/2008 has been entered. 

Response to Arguments 

Applicant has amended to include "wherein the policy object model
comprises a plurality of policy action classes representing at least a deny, permit
and log actions of the service on at least one packet."

The Applicant has pointed to Paragraphs [0041, 0048] of the Specification 
as support. The Applicant argues that "Nowhere does Terzis describe a plurality
of policy action classes representing at least a deny, permit and log actions of the
service on at least one packet" (Remarks page 9).

Figure 6 of Terzis shows the Policy Object class, 600. Under the Policy
Object is the Policy Component 610 and the Policy Rule 670. One of the
PolicyRules is ResourceAccessRule 675 which includes "AllowIdentifiers,
DenyIdentifiers, and Log."

According to Paragraph [0105] Policy Object 600 is an "abstract base
class." Paragraph [0118] teaches Policy Rules 670 is "an abstract class that all
policy rules derive from."

As such, Terzis teaches "wherein the policy object model comprises a
plurality of policy action classes representing at least a deny, permit and log
actions of the service on at least one packet."

Therefore the Examiner considers the Applicant's arguments
unpersuasive.

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

This application currently names joint inventors. In considering 
patentability of the claims under 35 U.S.C. 103(a), the examiner presumes that
the subject matter of the various claims was commonly owned at the time any 
inventions covered therein were made absent any evidence to the contrary. 
Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor
and invention dates of each claim that was not commonly owned at the time a 
later invention was made in order for the examiner to consider the applicability of 
35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) prior art under 35
U.S.C. 103(a). 

Claims 7-31 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Terzis (20040243835) in view of Lambert (20020099952). 



Regarding Claim 7, 

Terzis teaches an object model for managing a service on a computer, the 
object model comprising: 

A policy object model for specifying 

by a first user, at least one first policy that the service supports in a 
packet-centric form ("the subsystems include a firewall... The firewall operates at layer 
4 (transport) . . . The firewall serves to prevent unauthorized access of a network. . .by 
filtering out packets that originate from unauthorized users or sources. Performing 
filtering of packets can be effective in deterring certain types of unauthorized access 
attempts, but requires inspection of each packet" Paragraph [0089]) ("The resource 
access rules are used to control which users have access to what resources. The 
resource access rules define priority... The priority assigns a priority to the rule as each 
new incoming flow is evaluated against each of the policy rules according to their 
priority" Paragraph [0120]) and

by a second user, at least one second policy by selecting a security level 
from a plurality of security levels, with each security level from the plurality of 
security levels being previously set for a specified user ("the policy engine talks to
the components on the data plane to install and remove filters in response to policy 
rules, " Paragraph [0062]) ("The policies can be determined both by the identity of the 
user as well as by the group the user is associated with.. .Based on the policies 
associated with that user, a set of specific access rules are generated that enable the 
subsystems to provide filtering and deny access to prohibited resources and services" 
Paragraph [0089]) ("The resource access rules are used to control which users have 
access to what resources. The resource access rules define... permission level" 
Paragraph [0120]) The Examiner interprets permission level as the security level. 

wherein the policy object model comprises a plurality of policy action 
classes representing at least a deny, permit and log actions of the service on at 
least one packet 

(Figure 6 of Terzis shows the Policy Object class, 600. Under the Policy Object is
the Policy Component 610 and the Policy Rule 670. One of the PolicyRules is
ResourceAccessRule 675 which includes "AllowIdentifiers, DenyIdentifiers, and Log."

According to Paragraph [0105] Policy Object 600 is an "abstract base class."
Paragraph [0118] teaches Policy Rules 670 is "an abstract class that all policy rules
derive from."

As such, Terzis teaches "wherein the policy object model comprises a plurality of
policy action classes representing at least a deny, permit and log actions of the service
on at least one packet.")

A policy engine platform for interacting of the first user with the at least 
one first policy and of the second user with the at least one second policy, and to 
provide the at least one first policy and the at least one second policy to at least
one component that performs the service. 

("The policy interpreter interfaces to the SNMP Agent, " Paragraph [0064], Fig 7.) 

The Examiner interprets the policy object model as the "policy engine" and 
policy engine platform as "policy interpreter." 

As seen in Fig. 7, the Policy Interpreter acts as an intermediary between 
the SNMP agent and the Policy engine. Because the purpose of a SNMP agent 
is to facilitate information between network components and the purpose of the 
policy engine is to provide policies, it is inherent that the policy interpreter will 
provide one or more policies of which one will actually perform the service. 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing 
the at least first policy by the first user. ("The interface between the policy engine 
and the SNMP agent may be used to add and delete policy objects" Paragraph [0064]) 

Terzis teaches a setting editor that is configured by the first user to select 
a security level from the plurality of security levels for the second user, ("an 
operator may be able to enter a set of human readable access rules that define what 
resources and services are accessible to that user (or machine). According to one 
embodiment, these human readable access rules are stored as policy objects. " 
Paragraph [0136]) ("the policy engine talks to the components on the data plane to 
install and remove filters in response to policy rules, " Paragraph [0062]) ("The policies 
can be determined both by the identity of the user as well as by the group the user is 
associated with... Based on the policies associated with that user, a set of specific 
access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access
rules are used to control which users have access to what resources. The resource 
access rules define... permission level" Paragraph [0120]) The Examiner interprets 
permission level as the security level. 

Terzis does not explicitly teach if it has been determined that the first user 
is authorized to perform the specification by comparing a rank of the first user 
against a permitted rank. The Examiner interprets a permitted rank as the 
priority level, as described by the Applicant in pg. 8 of Remarks, "A policy 
provider is associated with a particular priority class or level" (Paragraph [0051] 
of Specification). 

Lambert teaches determining whether a first user is authorized to perform
the specification by comparing a rank of the first user to a permitted rank before
specifying a policy. ("the group policy objects...may be provided by administrators
per site, domain, organizational unit, group and user. Among other things, group policy
technology also provides a flexible and hierarchical way in which each administrator
can establish which policies will win out over others if multiple policies conflict. For
example, site policies can be set up to prevail over domain policies, which in turn can
be set up to prevail over organizational unit policies...." Paragraph [0080])

It would have been obvious to one of ordinary skill in the art at the time of 
the invention to modify the object model of Terzis with the policy provider priority 
ranking system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with 
conflicts with group policy objects. 
Regarding Claims 11 and 12,

Terzis and Lambert teach the object model of claim 7, Terzis further 
teaches wherein the policy engine platform comprises a setting editor configured 
to automatically generate a policy based upon an application and user 
combination, wherein the setting editor generates a plurality of policies, and is 
further configured to permit said second user to select from the plurality of 
policies. 

("After a user has successfully logged [in]...the Launch-pad module may contact
the policy engine to receive the list of resources that are available to that user... Once
found the policy engine may return each of the resources in those rules back to the
Launch-pad module," Paragraph [0065])

Where the Launch-pad is defined as a user interface in Paragraph [0100].
The launch pad screen is capable of displaying "applications... that are
specifically made available to that user" (Paragraph [0106]).

The Examiner interprets the second user to be an administrator that 
implements user-centric policies. (The resource access rules are used to control 
which users have access to what resources. Paragraph [0120]) 



Regarding Claim 13, 
Terzis and Lambert teach the object model of claim 12, Terzis further
teaches wherein the setting editor is further configured by said second user to
permit setting one of the plurality of policies as a default policy.

("generating, based on the access policies, at least one access rule for each of a 
plurality of security system sublayers, " Claim 1) 

The Examiner interprets the at least one access rule as the default policy. 

The Examiner interprets the second user to be an administrator that 
implements user-centric policies. (The resource access rules are used to control 
which users have access to what resources. Paragraph [0120]) 

Regarding Claim 14, 

Terzis and Lambert teach the object model of claim 7, Terzis further 
teaches wherein the policy engine platform comprises a rule explorer for 
providing a view of the at least one first policy and the at least one second 
policy. 

Because the policy interpreter interfaces between the SNMP agent and 
the policy engine (Fig. 7) it is inherent that there will be a component that allows 
a view of one or more of the policies. 



Regarding Claim 15, 
Terzis and Lambert teach the object model of claim 7, Terzis further
teaches wherein the policy object model comprises a policyrule object usable to 
generate policy, the policyrule object comprising a condition property and an 
action property, wherein a policy generated by the policyrule object is configured 
to perform an action in the action property responsive to a condition in the 
condition property being met. (Fig. 6, 670) 

Regarding Claim 16, 

Terzis and Lambert teach the object model of claim 7, Terzis further 
teaches wherein the service is a firewall service. ("According to one embodiment 
the rules are generated and installed at the firewall level" Paragraph [0019]) 

Regarding Claim 17, 

Terzis and Lambert teach the object model of claim 7, Terzis further 
teaches wherein the policy engine platform is configured to deny providing said 
one or more policies to the component if a requester is not authorized. ("Based
on the policies associated with that user, a set of specific access rules are generated 
that enable the subsystems to provide filtering and deny access to prohibited resources 
and services. " Paragraph [0088]) 
Regarding Claim 18,

Terzis and Lambert teach the object model of claim 17, Terzis further
teaches wherein determining whether a requester is authorized comprises
comparing a provider rank for the requester against a permitted rank, and if the
provider rank for the requester does not meet or exceed the permitted rank,
denying the requester. (Fig. 6, 675, PermissionLevel)

The Examiner interprets the parameter PermissionLevel under the 
Resource Access Rules as rank. Where the PermissionLevel is checked against 
a permitted PermissionLevel and if the PermissionLevel does not meet or 
exceed the permitted rank, to deny the requestor. 

Regarding Claim 19, 

Terzis and Lambert teach a method of managing a service on a 
computer, the method comprising: 

specifying, via a policy object model, by a first user, one or more policies
that the service supports in a packet-centric form ("the subsystems include a 
firewall. . . The firewall operates at layer 4 (transport) . . . The firewall serves to prevent 
unauthorized access of a network. . .by filtering out packets that originate from 
unauthorized users or sources. Performing filtering of packets can be effective in 
deterring certain types of unauthorized access attempts, but requires inspection of each 
packet" Paragraph [0089]), and, by a second user, at least one second policy by 
selecting a security level from a plurality of security levels, with each security
level from the plurality of security levels being previously set for a specified 
application and a specified user; ("The policy engine talks to the components on the 
data plane to install and remove filters in response to policy rules, " Paragraph [0062]) 
("The resource access rules are used to control which users have access to what 
resources. The resource access rules define... permission level" Paragraph [0120]) The 
Examiner interprets permission level as the security level. 

wherein the policy object model comprises a plurality of policy action 
classes representing at least a deny, permit and log actions of the service on at 
least one packet 

(Figure 6 of Terzis shows the Policy Object class, 600. Under the Policy Object is
the Policy Component 610 and the Policy Rule 670. One of the PolicyRules is
ResourceAccessRule 675 which includes "AllowIdentifiers, DenyIdentifiers, and Log."

According to Paragraph [0105] Policy Object 600 is an "abstract base class."
Paragraph [0118] teaches Policy Rules 670 is "an abstract class that all policy rules
derive from."

As such, Terzis teaches "wherein the policy object model comprises a plurality of
policy action classes representing at least a deny, permit and log actions of the service
on at least one packet.")

and interacting, via a policy engine platform, of said first user at least one 
first policy specified in said packet-centric form, and of said second user with 
said one or more policies specified in said user-centric form and/or said 
application-centric form; ("the Launch-pad module may contact the policy engine to 
receive the list of resources that are available" Paragraph [0065]) ("The resource
access rules are used to control which users have access to what resources. The 
resource access rules define... permission level" Paragraph [0120]) The Examiner 
interprets permission level as the security level. 

and providing, via the policy engine platform, said one or more policies to 
said at least one component that actually performs the service. ("Once found the 
policy engine may return each of the resources in those rules back to the Launch-pad 
module" Paragraph [0065]) 

Terzis teaches "the subsystems include a firewall... The firewall operates at layer
4 (transport)... The firewall serves to prevent unauthorized access of a network... by
filtering out packets that originate from unauthorized users or sources. Performing
filtering of packets can be effective in deterring certain types of unauthorized access
attempts, but requires inspection of each packet." (Paragraph [0089]) Terzis further
teaches ("The policies can be determined both by the identity of the user as well as by
the group the user is associated with... Based on the policies associated with that user,
a set of specific access rules are generated that enable the subsystems to provide
filtering and deny access to prohibited resources and services" Paragraph [0089])

The Examiner interprets the first user to be an administrator that 
implements packet-centric policies. (The security rules 690 may describe how 
packets matching the source, destination objects should be secured. Paragraph [0130]) 

The Examiner interprets the second user to be an administrator that 
implements user-centric policies. (The resource access rules are used to control 
which users have access to what resources. Paragraph [0120]) 
Terzis teaches the policy engine platform comprises a rule editor that is
configured by the first user to perform at least one of deleting, adding, editing 
the at least first policy by the first user. ("The interface between the policy engine 
and the SNMP agent may be used to add and delete policy objects" Paragraph [0064]) 

Terzis teaches a setting editor that is configured by the first user to select 
a security level from the plurality of security levels for the second user, ("an 
operator may be able to enter a set of human readable access rules that define what 
resources and services are accessible to that user (or machine). According to one 
embodiment, these human readable access rules are stored as policy objects. " 
Paragraph [0136]) ("the policy engine talks to the components on the data plane to 
install and remove filters in response to policy rules, " Paragraph [0062]) ("The policies 
can be determined both by the identity of the user as well as by the group the user is 
associated with... Based on the policies associated with that user, a set of specific 
access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access 
rules are used to control which users have access to what resources. The resource 
access rules define... permission level" Paragraph [0120]) The Examiner interprets 
permission level as the security level. 

Terzis does not explicitly teach if it has been determined that the first user 
is authorized to perform the specification by comparing a rank of the first user 
against a permitted rank. The Examiner interprets a permitted rank as the 
priority level, as described by the Applicant in pg. 8 of Remarks, "A policy 
provider is associated with a particular priority class or level" (Paragraph [0051] 
of Specification). 
Lambert teaches determining whether a first user is authorized to perform
the specification by comparing a rank of the first user to a permitted rank before
specifying a policy. ("the group policy objects...may be provided by administrators
per site, domain, organizational unit, group and user. Among other things, group policy
technology also provides a flexible and hierarchical way in which each administrator
can establish which policies will win out over others if multiple policies conflict. For
example, site policies can be set up to prevail over domain policies, which in turn can
be set up to prevail over organizational unit policies...." Paragraph [0080])

It would have been obvious to one of ordinary skill in the art at the time of 
the invention to modify the object model of Terzis with the policy provider priority 
ranking system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with 
conflicts with group policy objects. 

Regarding Claim 20, 

Terzis and Lambert teach the method of claim 19, Terzis further teaches
further comprising automatically generating a policy based upon an application
and user combination. ("After a user has successfully logged into the MACSS, the
Launch-pad module may contact the policy engine to receive the list of resources that
are available to that user," Paragraph [0065])



Regarding Claim 21, 
Terzis and Lambert teach the method of claim 20, Terzis further teaches
further comprising generating a plurality of policies, and permitting a user to
select from the plurality of policies. ("Once found the policy engine may return each
of the resources in those rules back to the Launch-pad module" Paragraph [0065])

As described before the Launch-pad module is a user interface. 
Examples can be found in Fig. 4 and Fig. 5. 

Regarding Claim 22, 

Terzis and Lambert teach the method of claim 21, Terzis further teaches
further comprising setting one of the plurality of policies as a default policy. 
("generating, based on the access policies, at least one access rule for each of a 
plurality of security system sublayers, " Claim 1) 

The Examiner interprets the at least one access rule as the default policy. 

Regarding Claim 23, 

Terzis and Lambert teach the method of claim 22, Terzis further teaches 
further comprising authorizing a user prior to allowing the user to select the at 
least one policy from the plurality of policies. 

It is inherent that the system administrator is authorized prior to selecting 
one policy from a plurality of policies. ("A system administrator uses user 
interfaces... to create access/security rules that allow users access to specific network
resources based on a variety of parameters" Paragraph [0056]) 

Regarding Claim 24, 

Terzis and Lambert teach an object model embodied on a computer- 
readable medium for managing a firewall service on a computer, the object 
model comprising a policy object model used to specify, by a first user, one or
more policies that the firewall service supports in a packet-centric form, and, by
a second user at least one second policy by selecting a security level from a
plurality of security levels, with each security level from the plurality of security 
levels being previously set for a specified application and a specified user ("The 
resource access rules are used to control which users have access to what resources. 
The resource access rules define... permission level" Paragraph [0120], The Examiner 
interprets permission level as the security level), the policy model comprising a 
policyrule object usable to generate policy (Fig. 6, PolicyRule, 670), the policyrule 
object comprising a condition property and an action property, wherein a policy 
generated by the policyrule object is configured to perform an action in the 
action property responsive to a condition in the condition property being met. 

It is inherent that the policy rule is configured to perform an action 
responsive to a condition being met. 

Terzis teaches "the subsystems include a firewall... The firewall operates at layer 
4 (transport) . . . The firewall serves to prevent unauthorized access of a network. . .by 
filtering out packets that originate from unauthorized users or sources. Performing 
filtering of packets can be effective in deterring certain types of unauthorized access
attempts, but requires inspection of each packet." (Paragraph [0089]) Terzis further
teaches ("The policies can be determined both by the identity of the user as well as by
the group the user is associated with... Based on the policies associated with that user,
a set of specific access rules are generated that enable the subsystems to provide
filtering and deny access to prohibited resources and services" Paragraph [0089])

wherein the policy object model comprises a plurality of policy action
classes representing at least a deny, permit and log actions of the service on at
least one packet

(Figure 6 of Terzis shows the Policy Object class, 600. Under the Policy Object is
the Policy Component 610 and the Policy Rule 670. One of the PolicyRules is
ResourceAccessRule 675 which includes "AllowIdentifiers, DenyIdentifiers, and Log."

According to Paragraph [0105] Policy Object 600 is an "abstract base class."
Paragraph [0118] teaches Policy Rules 670 is "an abstract class that all policy rules
derive from."

As such, Terzis teaches "wherein the policy object model comprises a plurality of
policy action classes representing at least a deny, permit and log actions of the service
on at least one packet.")

The Examiner interprets the first user to be an administrator that 
implements packet-centric policies. (The security rules 690 may describe how 
packets matching the source, destination objects should be secured. Paragraph [0130]) 
The Examiner interprets the second user to be an administrator that
implements user-centric policies. (The resource access rules are used to control 
which users have access to what resources. Paragraph [0120]) 

Terzis teaches the policy engine platform comprises a rule editor that is 
configured by the first user to perform at least one of deleting, adding, editing 
the at least first policy by the first user. ("The interface between the policy engine 
and the SNMP agent may be used to add and delete policy objects" Paragraph [0064]) 

Terzis teaches a setting editor that is configured by the first user to select 
a security level from the plurality of security levels for the second user, ("an 
operator may be able to enter a set of human readable access rules that define what 
resources and services are accessible to that user (or machine). According to one 
embodiment, these human readable access rules are stored as policy objects. " 
Paragraph [0136]) ("the policy engine talks to the components on the data plane to 
install and remove filters in response to policy rules, " Paragraph [0062]) ("The policies 
can be determined both by the identity of the user as well as by the group the user is 
associated with... Based on the policies associated with that user, a set of specific 
access rules are generated that enable the subsystems to provide filtering and deny 
access to prohibited resources and services" Paragraph [0089]) ("The resource access 
rules are used to control which users have access to what resources. The resource 
access rules define... permission level" Paragraph [0120]) The Examiner interprets 
permission level as the security level. 

Terzis does not explicitly teach if it has been determined that the first user 
is authorized to perform the specification by comparing a rank of the first user 
against a permitted rank. The Examiner interprets a permitted rank as the 
priority level, as described by the Applicant in pg. 8 of Remarks, "A policy
provider is associated with a particular priority class or level" (Paragraph [0051] 
of Specification). 

Lambert teaches determining whether a first user is authorized to perform 
the specification by comparing a rank of the first user to a permitted rank before 
specifying a policy. ("the group policy objects...may be provided by administrators
per site, domain, organizational unit, group and user. Among other things, group policy 
technology also provides a flexible and hierarchical way in which each administrator 
can establish which policies will win out over others if multiple policies conflict. For 
example, site policies can be set up to prevail over domain policies, which in turn can 
be set up to prevail over organizational unit policies...." Paragraph [0080]) 

It would have been obvious to one of ordinary skill in the art at the time of 
the invention to modify the object model of Terzis with the policy provider priority 
ranking system of Lambert. 

The motivation is that Lambert teaches a well known way to deal with 
conflicts with group policy objects. 

Regarding Claim 25, 



Terzis and Lambert teach the object model of claim 24, Terzis further 
teaches further comprising an IPSecRule derived from the policyrule object, the 
IPSecRule being configured to trigger an IPSec callout when an IPSec condition 
is matched, and to indicate configuration parameters for securing traffic related
to the callout. (Fig. 14, 1440). 

The services dispatcher connects to the launch-pad which connects to the 
policy engine. 

Regarding Claim 26, 

Terzis and Lambert teach the object model of claim 25, Terzis further 
teaches wherein the IPSecRule evaluates a standard 5-tuple to determine if a 
condition has been met. (Fig. 11) 

Regarding Claim 27, 

Terzis and Lambert teach the object model of claim 24, Terzis further 
teaches further comprising a KeyingModuleRule derived from the policyrule 
object, the KeyingModuleRule being configured to select which key negotiation 
module to use when there is no existing secure channel to a remote peer. 

("The key exchange field specifies how keys are exchanged and determines 
what key parameters will be used." Paragraph [0130]) 

The Examiner interprets key negotiation as key exchange. The Examiner 
notes that the key exchange field is part of the security rules, which is part of the 
policy rules. 
Regarding Claim 28,

Terzis and Lambert teach the object model of claim 27, Terzis further 
teaches wherein the KeyingModuleRule evaluates a standard 5-tuple to 
determine if a condition has been met. (Fig. 11) 

Regarding Claim 29, 

Terzis and Lambert teach the object model of claim 24, Terzis further 
teaches further comprising an IKERule derived from the policyrule object and
configured to specify the parameters for carrying out Internet Key Exchange key 
negotiation protocol. (Fig. 14, IKE) 

Regarding Claim 30, 

Terzis and Lambert teach the object model of claim 29, Terzis further 
teaches wherein the IKERule evaluates a local address and a remote address to 
determine if a condition has been met. This step is inherent in IKE protocol. 



Regarding Claim 31, 
Terzis and Lambert teach the object model of claim 29, Terzis further
teaches wherein the IKERule comprises an IKEAction action property that 
defines the authentication methods for performing Internet Key Exchange key 
negotiation protocol. ("The key exchange field specifies how keys are exchanged and 
determines what key parameters will be used." Paragraph [0130]) 



Conclusion 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to HARRIS C. WANG whose telephone number 
is (571) 270-1462. The examiner can normally be reached on M-F 9-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, KAMBIZ ZAND can be reached on (571) 272-3811. The
fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service Representative or
access to the automated information system, call 800-786-9199 (IN USA OR
CANADA) or 571-272-1000.



/Harris C Wang/ 
Examiner, Art Unit 2439 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



